CVE-2024-5756: 
WordPress vulnerability analysis and mitigation

A critical vulnerability identified as CVE-2024-5756 affects the Email Subscribers by Icegram Express plugin for WordPress. The vulnerability was discovered by security researcher Arkadiusz Hydzik and was publicly disclosed on June 20, 2024. This flaw affects all versions up to and including 5.7.23 of the plugin, which has over 90,000 active installations (Security Online, CVE Mitre).

The vulnerability is classified as a time-based SQL Injection that occurs via the db parameter. The issue stems from insufficient escaping on user-supplied parameters and lack of proper preparation in existing SQL queries. With a CVSS score of 9.8 (Critical), this vulnerability allows unauthenticated attackers to append additional SQL queries into existing ones (Wordfence).

The vulnerability could potentially lead to unauthorized access to sensitive information stored in the WordPress site's database. This includes customer lists, email addresses, and personal information. Given the plugin's widespread use in email marketing, campaign management, and newsletter distribution, the potential impact affects a large number of businesses and individuals (Security Online).

The developers have released version 5.7.24 of the Icegram Express plugin to address this vulnerability. Website administrators are strongly advised to update their installations immediately to this latest version. Additionally, it is recommended to audit database and website logs for any suspicious activity (Security Online).